Pages

Saturday, March 15, 2008

Google on Data Security and Confidential information

Many organization's do the same thing that Google is doing about security :

1) Philosphy - Data security should always be taken care of continously from the begining of the project.

2) Technology - Using encryption is not just enough because your keys will be lying everywhere and no matter how smart your security software is there is always a hole from where the light gets in. Company's use the best breed of technology but still there are breaches and infact many a times breaches don't even get out of the company, has it ever happened to google and we were unaware of ?

3) Process - Process are everywhere but there are people who never like roadblocks in place and will do whatever to break the rules and processes and as far as I know Geeks don't like to follow what is there, they like to make their own way. And your checks about who has access to what data always boils down to upper management because they are too busy to pay attention or are preparing for their next interview.

4) People - Ofcourse google has the best people and as i earlier said geeks don't like to be stopped by roadblocks, they want to be free and if they build something they know how to break it.

In short, There is no such thing as foolproof security but companies constantly need to review and revise new strategies to fight hackers and not to forget that 80% of attacks come from the enemies at the watercooler.

Read more about how google handles confidential below:

Philosophy: First is our philosophy. At Google, security is a continuous process. We don't just "check" a product for security before we launch it -- we are thinking about security before the product is even created, and we are building it in throughout the product's development. Also critical is our belief in layered protection. It's much like securing your house. You put your most private information in a safe. You secure the safe in your house, which is protected with locks and possibly an alarm system. And then you have the neighborhood watch program or the local police monitoring your neighborhood. It's very similar at Google. Our most sensitive information is difficult to find or access (the safe). Our network and facilities (the house) are protected in both high- and low-tech ways: encryption, alarms, and other technology for our systems, and strong physical security at our facilities. And finally, we've learned that when security is done right, it's done best as a community (the neighborhood); we encourage everyone to help us identify potential problems and solutions. Researchers who work at security and technology companies all over the world are constantly looking for security problems on the Internet, and we work closely with that community to find and fix potential problems.

Technology: These layers of protection are built on the best security technology in the world. While we employ products developed by others in the security community, we build a lot of our security technology ourselves. Some of the most innovative components of our security architecture focus on automation and scale. These are important to us because we're handling searches, emails, and other activities for millions of users every day. To keep our security processes a step ahead, we automate the way we test our software for possible security vulnerabilities and the way we monitor for possible security attacks. We're also constantly seeking more ways to use encryption and other technical measures to protect your data, while still maintaining a great user experience.

Process: In addition to technology, we have a set of processes that dictate how we secure confidential information at Google and who can access it. We carefully manage access to confidential information of any sort, and very few Googlers have access to what we consider very sensitive data. This is in no small part because there's very little reason for us to provide that access -- most of our processes are automated, and don't require much human intervention. Of course, the limited number of people who are granted access to sensitive data must have special approval. And while we hold ourselves to a very high standard, we also work to ensure that our processes meet (and in many cases exceed) industry standards. These include audits for Sarbanes-Oxley, SAS 70, PCI (payment card industry) compliance, and more. By working with independent auditors, who evaluate compliance with standards that hold hundreds of different companies to very rigorous requirements, we add another layer of checks and balances to our security processes.

People: The most important part of our approach to security is our people. Google employs some of the best and brightest security engineers in the world. Many of our engineers came from very high-profile security environments, such as banks, credit card companies, and high-volume retail organizations, and a large number of them hold PhDs and patents in security and software engineering. As you can imagine, our engineers are smart and curious and are on the lookout for security anomalies and best practices in the industry. Our engineers have published hundreds of academic papers on technically detailed topics such as drive-by downloads that install malware (PDF file) or hostile virtualized environments. (You can find some of these papers here.) What's more, we cultivate a collaborative approach to security among all of our engineers, requiring everyone to pass a coding style review (which enables us to control the type of code used here and how it's used in order to prevent software problems) and ensuring that all code at Google is reviewed by multiple engineers so that it meets our software and security standards.

No comments:

Buy Me Coffee!!!

Follow by Email

My Tweets!!

Facebook Badge

Total Pageviews

My Blog List

Contact Form

Name

Email
*

Message
*

DISCLAIMER

All posts, comments, views expressed in this blog are my own .The intention of this blog is to share my experience and views. Content is subject to change without any notice. While I would do my best to quote the original author or copyright owners wherever I reference them, if you find any of the content / images violating copyright, please let me know and I will act upon it immediately. Lastly, I encourage you to share the content of this blog in general with other online communities for non-commercial and educational purposes.